Thread: So........these draytek firewalls then.

  1. #1
    Senior Member
    Join Date
    Mar 2005
    Posts
    4,935
    Thanks
    171
    Thanked
    384 times in 311 posts
    • badass's system
      • Motherboard:
      • ASUS P8Z77-m pro
      • CPU:
      • Core i5 3570K
      • Memory:
      • 32GB
      • Storage:
      • 1TB Samsung 850 EVO, 2TB WD Green
      • Graphics card(s):
      • Radeon RX 580
      • PSU:
      • Corsair HX520W
      • Case:
      • Silverstone SG02-F
      • Operating System:
      • Windows 10 X64
      • Monitor(s):
      • Del U2311, LG226WTQ
      • Internet:
      • 80/20 FTTC

    So........these draytek firewalls then.

    Supposedly stateful.

    I create a rule like: allow all traffic from the LAN on a port over 1024 TCP to somewhere on the internet on port 80 TCP.
    I create another rule to allow anything on the internet originating from port 80 going to anything above port 1024 on a host in the LAN. I click the keep state checkbox so in theory only traffic related to outgoing traffic is allowed in (in this case website-related traffic).
    Does this not seem a little... haphazard? How do I ensure that rule 2 only allows traffic related to rule 1?

    How about creating rule 1 and, instead of the stupid keep state checkbox, they have "allow related traffic in the opposite direction"?
    Am I missing something here?
    "In a perfect world... spammers would get caught, go to jail, and share a cell with many men who have enlarged their penises, taken Viagra and are looking for a new relationship."

  2. #2
    Senior Member (badass)
    Quote Originally Posted by badass View Post [post #1 above]
    Can someone confirm I have things right or if I have the wrong idea?

  3. #3
    Senior Member
    Join Date
    Aug 2005
    Location
    Brisbane
    Posts
    612
    Thanks
    20
    Thanked
    35 times in 22 posts
    • toolsong's system
      • Motherboard:
      • ASUS P7P55D EVO
      • CPU:
      • i7 860 @ 3.8 GHz
      • Memory:
      • 2 x 4GB Corsair Vengeance
      • Storage:
      • SSDs
      • Graphics card(s):
      • GTX970
      • PSU:
      • Seasonic X650
      • Case:
      • Antec P180
      • Operating System:
      • Win7 x64
      • Monitor(s):
      • Dell U2515H
      • Internet:
      • Fibre @ 100/40
    Dude, you need to be over here:
    http://www.forum.draytek.co.uk/

  4. #4
    Administrator Moby-Dick's Avatar
    Join Date
    Jul 2003
    Location
    There's no place like ::1 (IPv6 version)
    Posts
    10,665
    Thanks
    53
    Thanked
    385 times in 314 posts
    Firewall rules are always processed in order (usually with a default action after processing the rules), if it helps.

    Also make sure you know which way the firewall sees as IN and OUT.
    my Virtualisation Blog http://jfvi.co.uk Virtualisation Podcast http://vsoup.net

  5. #5
    Registered+
    Join Date
    Oct 2006
    Posts
    33
    Thanks
    0
    Thanked
    0 times in 0 posts
    You can always call them up, as in the past I have dealt with their support and they are always very knowledgeable.

  6. #6
    Senior Member (badass)
    I've sent an email to their tech support. I'm pretty sure that's what they told me over the phone the last time I talked to them.
    Moby - I've confirmed the IN and OUT thing ages ago and I do use a "default block all" rule at the end of my rules.

    The problem I have had is I got fed up with setting up the security properly (i.e. block everything apart from what I explicitly allow in AND out) since no game made these days is designed with that in mind. Like BF2, for instance. You simply can't create firewall rules to allow it to work, since it allows the server to specify the port,
    and before anyone points me to various webpages with port lists, yes I have seen them, but none of them mention this server-specifying-port feature.

    So I gave up on proper security and went for convenience and decided to set an allow all outgoing rule and the corresponding allow all incoming related rule.
    I then tested it and BF2, WoW etc. worked fine. I then got a probe done on it from an external source - it passed.

    Several days later I find it's been allowing all traffic in, whether related or not!
    My unsecured FTP server (that was as it was behind a hardware firewall) has 3 gigs of cr@p I didn't put on it, and one of the PCs that was behind it has a virus of some sort, since I've just had an abuse report.
    Fortunately it's not any of the important machines, since they all have the Windows firewall enabled through group policy and don't allow much in that's not from the local subnet.
    Still got to find this rogue machine though.

  7. #7
    Administrator Moby-Dick
    Tricky one - I've never had hideous amounts of luck with the Draytek firewall, though I'm sure it's just a checkbox I'm missing somewhere.

    Why not do belt and braces and set up a VMware box with an ipchains f/w?

    You can download preconfigured VMs from their website which might do it.

  8. #8
    Senior Member (badass)
    Quote Originally Posted by Moby-Dick View Post [post #7 above]
    In an ideal world I would probably do that, but the machines that are left on 24/7 don't have enough spare memory to run a VM, and the machine with 4 CPUs and 4 GB isn't left on 24/7 as it uses so much power; all of the lights in the street dim when it's switched on :wack:

    However, after some email correspondence with a Draytek support engineer, I have confirmed I was right in how I set up the rules. They just didn't work as they should have.

  9. #9
    Administrator Moby-Dick
    A cut-down Linux firewall VM isn't going to take much power TBH.

    Think of something Smoothwall / m0n0wall based and how lightweight those distros are.

  10. #10
    Senior Member (badass)
    Quote Originally Posted by Moby-Dick View Post [post #9 above]
    It's more the installation of VMware, TBH.
    Also, connecting a computer that's used as anything more than a firewall directly to the internet scares me. I like the reassurance that all traffic has to pass through a firewall before it can get to any machines. Yes I know - fat lot of good that's done me so far.

  11. #11
    Member
    Join Date
    Jul 2004
    Location
    Crewe
    Posts
    88
    Thanks
    0
    Thanked
    0 times in 0 posts
    If it's truly a stateful firewall then you shouldn't need to add a rule for traffic back. The firewall should create a new connection in its state table for the outgoing traffic and then statefully allow the traffic that is part of that session back into the network. That worked on the old Draytek 2600 routers, but it didn't seem to have a big enough connection table, as BitTorrent would kill other connections off.
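The behaviour post #11 describes, the ordered rule processing with a default action from post #4, and the gap in the rule pair from post #1, as an added example that is not part of the thread and is not Draytek's code: a toy packet filter in Python with a state table keyed on the connection 5-tuple. The rule fields, port ranges, addresses and the `tracks_state` switch (which models a device that never consults its state table) are all constructed for this illustration.

```python
"""Toy stateful packet filter (added illustration, not Draytek code).

Rules are evaluated top to bottom, first match wins, and an unmatched packet
gets the default action. An allow rule with keep_state records the flow so
that its replies are accepted without any inbound rule at all.
"""
from dataclasses import dataclass

ANY_PORT = range(0, 65536)
HIGH_PORTS = range(1024, 65536)   # "above port 1024" in the thread
HTTP = range(80, 81)


@dataclass(frozen=True)
class Packet:
    direction: str      # "out" = LAN -> Internet, "in" = Internet -> LAN
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"

    def flow(self):
        """5-tuple key of this packet's connection, as sent."""
        return (self.proto, self.src_ip, self.src_port, self.dst_ip, self.dst_port)

    def reverse_flow(self):
        """Key of the connection this packet would be a reply to."""
        return (self.proto, self.dst_ip, self.dst_port, self.src_ip, self.src_port)


@dataclass(frozen=True)
class Rule:
    direction: str
    src_ports: range
    dst_ports: range
    action: str                 # "allow" or "block"
    keep_state: bool = False    # record matching flows so replies are accepted

    def matches(self, pkt: Packet) -> bool:
        return (pkt.direction == self.direction
                and pkt.src_port in self.src_ports
                and pkt.dst_port in self.dst_ports)


class Firewall:
    def __init__(self, rules, default="block", tracks_state=True):
        self.rules = list(rules)
        self.default = default
        self.tracks_state = tracks_state   # False: a device that ignores keep_state
        self.state = set()                 # constructed, unbounded state table

    def filter(self, pkt: Packet) -> str:
        # A reply to a tracked flow is accepted before the rule list is consulted.
        if self.tracks_state and pkt.reverse_flow() in self.state:
            return "allow"
        for rule in self.rules:            # ordered, first match wins
            if rule.matches(pkt):
                if rule.action == "allow" and rule.keep_state and self.tracks_state:
                    self.state.add(pkt.flow())
                return rule.action
        return self.default                # "default block all" at the end


# What post #11 describes: one outbound allow with keep-state, no inbound rule.
STATEFUL_ONLY = [Rule("out", HIGH_PORTS, HTTP, "allow", keep_state=True)]

# The pair from post #1. Rule 2 admits anything arriving from source port 80
# to a high port, whether or not it belongs to an outbound session.
OP_RULE_PAIR = [
    Rule("out", HIGH_PORTS, HTTP, "allow", keep_state=True),
    Rule("in", HTTP, HIGH_PORTS, "allow"),
]


def run_scenario(rules, tracks_state=True) -> dict:
    """Push four constructed packets through a firewall and return each verdict."""
    fw = Firewall(rules, default="block", tracks_state=tracks_state)
    return {
        # LAN client opens a web connection (creates state if keep_state applies).
        "outbound_http": fw.filter(Packet("out", "192.168.1.10", 40000, "203.0.113.5", 80)),
        # The genuine reply to that connection.
        "reply": fw.filter(Packet("in", "203.0.113.5", 80, "192.168.1.10", 40000)),
        # Unsolicited packet from an unrelated host that happens to use source port 80.
        "unsolicited_from_80": fw.filter(Packet("in", "198.51.100.7", 80, "192.168.1.20", 3389)),
        # Unsolicited packet from an arbitrary source port.
        "unsolicited_from_6667": fw.filter(Packet("in", "198.51.100.7", 6667, "192.168.1.20", 3389)),
    }


if __name__ == "__main__":
    for name, rules, tracks in [("stateful only", STATEFUL_ONLY, True),
                                ("OP rule pair", OP_RULE_PAIR, True),
                                ("stateful only, state ignored", STATEFUL_ONLY, False)]:
        print(name, run_scenario(rules, tracks))
```

With `STATEFUL_ONLY` the reply is accepted from the state table and both unsolicited packets hit the default block, which is the behaviour post #11 expects. With `OP_RULE_PAIR` the unsolicited packet from source port 80 is allowed by rule 2 regardless of state, which is the haphazardness post #1 worries about. Running `STATEFUL_ONLY` with `tracks_state=False` blocks the legitimate reply, which is exactly the symptom that tempts an administrator to add a blanket return-traffic rule instead.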
